Ensures that when a wrapper around a WebNode is create via the
toElement() or toConstElement() calls that the refcount on the WebNode
is increased, by forcing a call to WebNode::assign(). This is needed
so that the following code:
{

WebNode n = someNode();
WebElement e = n.toElement<WebElement>();

}
does not decrease the overall refcount on the Node that someNode()
returns.

The new string returned by fastStrDup is obtained with fastMalloc,
and can be freed with fastFree. This makes the memory management
more consistent because we don't need to keep strdup allocated pointers
and free them with free(). Instead we can use fastFree everywhere.

wtf/Platform.h: Add a "HISTORY_ALWAYS_ASYNC" enable and turn it on for Chromium.

WebCore:

In resolving ​https://bugs.webkit.org/show_bug.cgi?id=25570, all history.back()/forward()/go() navigations
were made asynchronous. That doesn't agree with the HTML5 spec and might have been overreaching for fixing
that particular bug. In working with the new history state APIs I noticed some things that should've been
possible were not possible because of this change.

The change in loading behavior is well covered via modifications to previous tests.

loader/RedirectScheduler.cpp:

(WebCore::RedirectScheduler::scheduleHistoryNavigation): Determine beforehand if the traversal is

a same-document navigation. If it is, perform the load directly instead of scheduling it.

LayoutTests:

The change in loading behavior is well covered via modifications to these previous tests:

Fixed <rdar://problem/7562574> ASSERT in WebCore::removeWrapper() at the
end of run-webkit-tests

This was an ASSERT-only bug, introduced by isolated worlds, which
created the novelty of a wrapper that might outlive its wrapper cache.

When a wrapper outlived its wrapper cache, both the wrapper's destructor
and the wrapper cache's destructor would claim to have uncached the wrapper,
causing an ASSERT to fire.

The solution is to distinguish between operations that logically add and
remove cache entries, and operations that delete whole caches. We track
when a cache entry is logically added, and when it's logically removed,
independent of whether the actual cache still exists.

bindings/js/JSDOMBinding.cpp:
(WebCore::willCacheWrapper):
(WebCore::didUncacheWrapper): New names for these functions to help
explain what they track.

(WebCore::DOMWrapperWorld::~DOMWrapperWorld): Don't claim to uncache
all the wrappers in the world; we're deleting the cache, not managing its
entries.

Rewrite SVG DOM JSC bindings to use a global DOMObject <-> SVGElement context map, similar to V8's approach.
This allows us to remove DOMObjectWithSVGContext and make all SVG JS objects use DOMObjectWithGlobalPointer.
We're fitting again in JS_CELL_SIZE, and there's no need to special case SVG anymore.

Not adding a new test, as we have yet to identify how to test that we're passing around correct global objects.
For now this is just a code cleanup which lets me continue making progress in that area of the code.

rendering/RenderBox.cpp:
(WebCore::RenderBox::paintMaskImages): Check that all mask images (both the single mask-box-image,
and the possibly multiple mask-image) are fully loaded before allowing the masked content to render.
If they are not fully loaded, use a fully transparent transparency layer.

rendering/style/FillLayer.h:

rendering/style/FillLayer.cpp:
(WebCore::FillLayer::imagesAreLoaded): New utility function that returns true if the image
in every FillLayer is loaded.

Fix reaction on window size changes for relative sized elements within <symbol> elements.
Don't evaluate SVGUseElement width/height attributes in order to propagate them to the shadow tree,
instead just propagate the attribute values itself so "100%" remains "100%" instead of being evaluated
to an absolute pixel value in the parent <svg> user-space.

Needs another fix in SVGStyledElement::childrenChanged(), which is a regression from my last <use>
patch, that hasn't been detected, as the use-dynamic-append.svg testcase was broken.

The combination of all the last <use> patches finally fixes the peepo.co.uk website, which was broken by several bugs for years.

I couldn't make a test for this, after trying rather hard. I'm not too worried, because such
a test has to depend on details of current implementation so intimately that it would become
ineffective very quickly anyway.

loader/FrameLoader.cpp: (WebCore::FrameLoader::stopAllLoaders): Stop the check timer, we
don't need it after aborting load.

Added platform specific (incorrect) results for plugins/mouse-events* for Windows,
and removed mouse-events from the Windows Skipped list. The landing of correct results
for these tests is being tracked by <​http://webkit.org/b/33973>.

AXObjectCache::getOrCreate() now has a case for ScrollBarRole,
which will create a new AccessibilityScrollbar. I also added a new
version of postNotification() that does not require a renderer. The
old postNotification() calls the new one.

For vgGetError(), I missed the part of the spec where
it says that calling that function clears the error
and subsequent calls will return VG_NO_ERROR again.

For eglGetError(), the specification doesn't mention
that kind of behavior, and interpretations seem to
differ between EGL implementations (even within
Khronos: the OpenVG reference implementation doesn't
reset the error code - and even mentions the difference
to vgGetError() in a comment - whereas the online
OpenGL ES API document explicitly specifies clearing
the error code).

It thus makes sense not to call either of the two
error functions more than once for checking a single
EGL/OpenVG call. This patch adapts assertions to
accommodate for this behavior, and also needs to
change surface creation methods as they previously
relied on multiple calls of eglGetError().

Ideally the getOwnPropertyDescriptor() reimplementation should return an
access descriptor that wraps the property getter and setter callbacks, but
that approach is much more involved than returning a value descriptor.
Keep it simple for now.

RenderWidget::paint()'s strategy of moving widgets at paint time, using tx and ty, was flawed
because tx,ty are not always root-relative, especially when painting into compositing layers.
This would move widgets to the wrong location, which caused hit testing issues.

Widgets are usually positioned by layout. The one time this was not true was scrolling fixed-position
elements, so we now reposition widgets after scrolling too.

There was a related problem, which was that widgets expect the graphics context to be set up for
root-relative painting. To fix this, adjust the CTM and the paintRect when the widget's frameRect
is in a different coordinate system to the painting offset.

Test: plugins/mouse-events-fixedpos.html

page/FrameView.cpp:
(WebCore::FrameView::scrollPositionChanged): Update widget positions, to handle widgets in fixed position
elements, but only if we're not already inside of layout.

Use the standard WebKit header in bridge/npruntime.h.
Include PlatformBridge.h instead of ChroimiumBridge.h.
Add popupsAllowed() method to PlatformBridge.h on Android.
Add ARRAYSIZE_UNSAFE to PlatformBridge.h on Android.

Inside V8DOMWrapper.h[cpp], the code for XPATH and XSLT features is not guarded
by the appropriate #if ENABLE(feature) macros. Add the missing guards.
V8DOMWrapper.cpp includes ChromiumBridge.h for no reason. Remove the include.

compositing
(QWebPageClient::setRootGraphicsLayer): let QGraphicsWebView know that
compositing has started/ended
(QWebPageClient::markForSync): let QGraphicsWebView know the
compositing layers need to sync, either soon or with the next update

WebKit/qt:

Here we have the QGraphicsWebView support for accelerated compositing

Api/qgraphicswebview.cpp:

(QGraphicsWebViewOverlay::q): access to container object
(QGraphicsWebViewOverlay::boundingRect): overlay has same rect as the
webview
(QGraphicsWebViewOverlay::paint): paint everything but the contents
(QGraphicsWebViewPrivate::QGraphicsWebViewPrivate): some vars needed
for accelerated compositing
(QGraphicsWebViewPrivate::):
(QGraphicsWebViewPrivate::~QGraphicsWebViewPrivate):
(QGraphicsWebViewPrivate::setRootGraphicsLayer): make sure we have a
scrollbar overlay, and that the new graphics layer is parented by the
web-view
(QGraphicsWebViewPrivate::markForSync): flush changes at earliest
convenience or during the next draw

(QGraphicsWebViewPrivate::updateCompositingScrollPosition): sync the
position of the compositing layer with the scroll position
(QGraphicsWebViewPrivate::syncLayers): flush changes now
(QGraphicsWebViewPrivate::scroll): make sure we also move the
compositing layer
(QGraphicsWebViewPrivate::update): also update the overlay if needed
(QGraphicsWebView::QGraphicsWebView): initialize overlay with 0
(QGraphicsWebView::paint): paint only contents if we have an overlay,
sync the compositing layers now if needed
(QGraphicsWebView::setPage): also clean up the compositing
(QGraphicsWebView::updateGeometry): also update overlay geo
(QGraphicsWebView::setGeometry): also update overlay geo

Allows accesing QPixmap and QImage based arguments from Qt signals,
slots and properties
This is done by an intermediate object that can be turned into
web-based objects by calling either toHTMLImageElement() or
toDataURL()

(JSC::Bindings::QtPixmapInstance::defaultValue): nothing
(JSC::Bindings::QtPixmapInstance::valueOf): toString
(JSC::Bindings::data): holds a QVariant of type QImage/QPixmap
(JSC::Bindings::QtPixmapInstance::width): width of the image/pixmap
(JSC::Bindings::QtPixmapInstance::height): height of the image/pixmap
(JSC::Bindings::QtPixmapInstance::toPixmap): converts to a QPixmap
(JSC::Bindings::QtPixmapInstance::toImage): converts to a QImage
(JSC::Bindings::QtPixmapInstance::variantFromObject): makes sure this
is the right type of object, and creates a QVariant
(JSC::Bindings::QtPixmapInstance::createRuntimeObject): creates a new
intermediate pixmap holder from a QVariant
(JSC::Bindings::QtPixmapInstance::canHandle): returns true if a
QPixmap/QImage is required

bridge/qt/qt_pixmapruntime.h: Added.

bridge/qt/qt_runtime.cpp: hooks for the bridge

(JSC::Bindings::convertValueToQVariant): handle QPixmap/QImage if the
object is the intermediate pixmap holder or an HTMLImageElement
(JSC::Bindings::convertQVariantToValue): creates the intermediate
object from a QVariant of type QImage/QPixmap

Teach StyleSheet the difference between original and final URLs in
redirect chains. Unfortunately, StyleSheet needs to know both of these
URLs. The original URL is needed for the href property and the final
URL is needed as the baseURL.

This change required touching a lot of lines of code because we need to
plumb this information to the StyleSheet object. I audited all
existing clients of href() and setHref() to see whether they wanted the
original or final URLs. I then updated the clients (except the JS
bindings themselves) to use the correct accessor.

css/CSSStyleSheet.h:
(WebCore::CSSStyleSheet::create):
(WebCore::CSSStyleSheet::createInline): Added a new constructor to deal
with "inline" style sheets that don't have a distinct original and
final URL.

css/StyleBase.cpp:
(WebCore::StyleBase::baseURL): This code wants to use the final URL,
not the original URL. Updated it to grab the baseURL directly.

css/StyleSheet.cpp:
(WebCore::StyleSheet::StyleSheet):

css/StyleSheet.h:
(WebCore::StyleSheet::href):
(WebCore::StyleSheet::setBaseURL): This function really just updates
the base URL of the style sheet, so I made it more explicit.
(WebCore::StyleSheet::putativeBaseURL): We need an accessor for the
base URL, but baseURL is already taken.

loader/CachedCSSStyleSheet.cpp:
(WebCore::CachedCSSStyleSheet::didAddClient):
(WebCore::CachedCSSStyleSheet::checkNotify): This code now passes both
the original and final URL into setCSSStyleSheet so that the style
sheet can have both.

loader/CachedXSLStyleSheet.cpp:
(WebCore::CachedXSLStyleSheet::didAddClient):
(WebCore::CachedXSLStyleSheet::checkNotify): I don't have any direct
evidence that we need to change the XSLStyleSheet behavior, which is
why I wasn't able to add a test for the behavior. However, the objects
are parallel enough that it seemed like the right thing to do.

Disable the "seatbelt" coordinate validation functions in the
Skia graphics layer. We believe all the underlying bugs have
been fixed, but just in case we're being overly optimistic, this
leaves in the code for an easy revert.

Note, there still is an issue on GTK related to the rendering of
button heights. But we are rolling out this change since
we're going to rollout the change committed in change set 53591
<​http://trac.webkit.org/changeset/53591> because r53591 caused a
regression.

Fix the touch event handler so it does not bail out early if the main frame document does not have any touch listeners registered, as there may be embedded iframes that have registered for touch events.

Test: fast/events/touch/touch-inside-iframe.html

page/EventHandler.cpp:
(WebCore::EventHandler::handleTouchEvent): Instead of looking at the document of the main frame to see if touch event listeners are registered, look at the document of the target element to account for iframes.

Refactoring and plumbing to get the HTML5 SQL Database API accessible to
web workers. No new functionality is exposed yet; this just gets the
infrastructure in place. It touches a lot of files in small ways; here
are the main changes:

1) Database members and methods move from Document up to
ScriptExecutionContext. Each of Document and WorkerContext must
implement a few virtual methods where the Database code requires
differentiation.
2) Worker thread shutdown got changed a bunch to handle Database cleanup
and thread synchronization issues. Database cleanup tasks need to post
some cleanup tasks to the JavaScript thread. However, since database
cleanup may happen due to the destruction of the WorkerThread, I added a
handshake [involving WorkerThreadShutdownStartTask,
WorkerThreadShutdownFinishTask, and a DatabaseTaskSynchronizer] between
the Database thread and WorkerThread that cleans up all the Database
stuff before the WorkerThread's runLoop can exit.
3) The runtime enabler for the Database moved to a static variable
accessible through Database::isAvailable, following the model used by
WebSocket.
4) Worker threads don't run their JavaScript on the Main thread, so
Database code that differentiated between the Main thread and the
Database thread now need to deal with a third possibility.
5) Most of the other changes have to do with having a
ScriptExecutionContext pointer instead of a Document pointer when
dealing with a Database. In many cases it's just a string replacement,
but in some it required the creation of a new virtual function [e.g.
databaseExceededQuota, isDatabaseReadOnly]

This should improve the status page by removing more Fail messages.
To do this, I re-factored the CommitQueue and the AbstractReviewQueues
to behave more like one another. This meant moving where the failure reporting was done.
Previously the AbstractReviewQueue always used the parent process to report the error,
while CommitQueue used the subprocess when possible, and the parent only reported errors
that we didn't know how to handle (bugs in the commit-queue itself).
Now the AbstractReviewQueue follow's the commit-queue's model. This got rid of a try-block
in both implementations and required teaching handle_script_error in each to post Fail messages
to the status server instead of calling exit(1).

Don't exit(1) as that will cause the calling queue to also report Fail to the status server.
Implementors of handle_script_error are expected to update the status server if needed, but only exit if the error could not be handled.
So we instead pass patch_has_failed_this_queue=True to _update_status_for_script_error in the case that this was a real failure.
_update_status_for_script_error knows how to post the Fail message to the status server.

Teach _update_status_for_script_error how to post Fail messages to the status server.

Scripts/webkitpy/commands/queues.py:

Remove the try block from process_work_item since the caller already has one.

Only CC watchers on failure to cut down on commit-queue generated mail.

handle_unexpected_error needs to mark _did_fail now that the try block is gone from process_work_item.

Abstract _format_script_error_output_for_bug to share code between all queues.

The new _format_script_error_output_for_bug allows the style-queue to share the posting limit with other queues, as well as support linking to the full output.

[Qt] Fixes an issue where the height of <button>- and
<input type="button">- elements are fixed to the height of the
button label font plus padding. That is, the CSS height property
is being ignored.

Instead, we should honor the user-specified height, if appropriate
for the platform and context. Notice, the Mac ports do not honor the
height for <input type="button"> elements unless a border and/or
background is also specified.

Return early SVGUseElement::instanceForShadowTreeElement if m_targetElementInstance is zero.
This only happens if the SVGUseElement has just been removed from the document and EventHandler
tries to dispatch a mouseout event to the corresponding SVGElementInstance. This is not testable
using DRT unfortunately, so we have to add another manual testcase for that.

bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::crossDomainAccessErrorMessage):
Changed the way we discover the url to match what the actual check does. Both old and new
code correctly fetch the URL of the current window displayed in frame, but going via
DOMWindowShell avoids crashing on null DOMWindow::m_frame pointer.

Add Leopard specific pixel test results where needed, most just show marginal 1px diffs, or even invisible changes,
only the filter test changed, but it visually looks the same - must be a Cg difference to the Snow Leopard baseline.
Now the pixel tests pass again with --tolerance 0 on my Leopard machine.

<rdar://problem/7562708> REGRESSION(53460): Heap::destroy may not run
all destructors

Reviewed by Oliver Hunt.

runtime/Collector.cpp:

(JSC::Heap::freeBlocks): Instead of fully marking protected objects,
just set their mark bits. This prevents protected objects from keeping
unprotected objects alive. Destructor order is not guaranteed, so it's
OK to destroy objects pointed to by protected objects before destroying
protected objects.

(WTF::IsSubclass): Determines if a class is a derived from another class.
(WTF::IsSubclassOfTemplate): Determines if a class is a derived from a
template class (with one parameter that is unknown).
(WTF::RemoveTemplate): Reveals the type for a template parameter.

WebCore:

Now the copier is able to handle types that derive from ThreadSafeShared.

(WebCore::AccessibilityMenuListOption::setSelected):
Return early if the object is not selectable.

WebKit/win:

AccessibleBase.cpp:

(AccessibleBase::accSelect):
If there is an invalid combination of state flags, return early. If the
caller passed the "take focus" flag, focus the object. If the "take
selection" flag was passed, check whether the parent object is an
AccessibilityListBox; if so, call the object's setSelectedChildren()
function. If the parent is an AccessibilityMenuListPopup, call the
child object's setSelected() function. Otherwise, if the parent is some
other, unsupported object, return early.
If the selection flags include "add", "remove", or "extend" selection,
and the parent object is not multi-selectable, return early. Otherwise,
set or unset the child's selected flag based on the passed flag.

Stabilize <use> scripting support - use tests are reliable now (tested using --repeach-each 50 --random -p)

Do not reclone trees anymore because of event listener changes, instead keep correspondingElement & shadowTreeElement
synchronized for each SVGElementInstance - any mutations on any event listeners are live, and take immediate effect,
w/o having to rely on a reclone - this was the root of several race conditions making the <use> tests flakey.

Fix SVGUseElement::instanceRoot() to force shadow tree creation, even if it was not attached so far - we can't wait
for finishedParsing() to be called which would recalculate the document style and attach the shadow tree as result.
This is now matching Operas behaviour.

Optimize createAttributeEventListener() to not create event listeners if the supplied Attribute isNull() - otherwhise
DOM calls like removeAttribute("onclick") cause a temporary JSEventListener to be created, added to the event listener
cache and removed afterwards.

bindings/js/ScriptEventListener.cpp:
(WebCore::createAttributeEventListener): Return early if the supplied attribute is null as discussed with Geoffrey.

dom/Node.cpp: Synchronize event listeners with all element instances, instead of marking the use elements to reclone.
(WebCore::instancesForSVGElement):
(WebCore::tryAddEventListener):
(WebCore::Node::addEventListener): When adding a listener, get a list of element instances and add it their as well.
(WebCore::tryRemoveEventListener):
(WebCore::Node::removeEventListener): Ditto for removals, but with special logic for listeners created from markup (see comments)

Extract Apache handling to httpd.pm module and use the provided functionality
in scripts where Apache is needed.
The module httpd.pm stores the PID of Apache in a variable and cleans up
the PID directory after Apache properly shut down. Catching INT and TERM
signals allows the scripts to close Apache and clean up its PID directory
even if the testing was interrupted.

(WebChromeClient::scrollRectIntoView): The scrollRect.move() call was
incorrectly converting the rect under the assumption that the frame view
is the same size as the WebView. Using convertRect:fromView: instead
is enough to fix the bug, but that code isn't needed since WebCore
already takes care of scrolling the main frame's document view, so it
was redundant to do it here too.

css/Media.h:
(WebCore::Media::create): Take and store a Frame pointer, like other similar objects do.
(WebCore::Media::disconnectFrame): Zero out the frame pointer (this is called from
DOMWindow::clear()).

css/Media.cpp:
(WebCore::Media::Media): Updated to storing Frame pointer.
(WebCore::Media::type): Ditto.
(WebCore::Media::matchMedium): Removed null check for document element - every document has
one. Also, every Frame has a document, so we only need to check for m_frame being zero.

Inject inspector script directly into the inspected context. All the
communication between the script and the frontend is serialized into
JSON strings. It allows to get rid of object quarantines in Web Inspector.

Inject inspector script directly into the inspected context. All the
communication between the script and the frontend is serialized into
JSON strings. It allows to get rid of object quarantines in Web Inspector.

Test that web inspector doesn't crash when opening if there are messages in
the console. Refactor test case due to InjectedScriptAccess changes.

Introduce ISODateTime::setMillisecondsSinceMidnight() and add a
SecondFormat parameter to ISODateTime::toString(). The main code
logic for type=time is implemented in
setMillisecondsSinceMidnightInternal() and toStringForTime()
because the logic is going to be used for other types.

(JSC::Bindings::CInstance::invokeMethod): Modified. Use renamed m_rootObject member
(JSC::Bindings::CInstance::invokeDefaultMethod): Modified. Use renamed m_rootObject member
(JSC::Bindings::CInstance::invokeConstruct): Modified. Use renamed m_rootObject member

bridge/jni/jni_runtime.cpp: Modified.

(JavaArray::JavaArray): Modified. Use renamed m_rootObject member
(JavaArray::rootObject): Modified. Use renamed m_rootObject member

bridge/objc/objc_instance.mm: Modified.

(ObjcInstance::invokeMethod): Modified. Use renamed m_rootObject member
(ObjcInstance::invokeDefaultMethod): Modified. Use renamed m_rootObject member
(ObjcInstance::getValueOfUndefinedField): Modified. Use renamed m_rootObject member

bridge/objc/objc_runtime.mm: Modified.

(JSC::Bindings::ObjcArray::valueAt): Modified. Use renamed m_rootObject member

bridge/qt/qt_runtime.cpp: Modified.

(JSC::Bindings::::rootObject): Modified. Use renamed m_rootObject member

This should improve the status page by removing more Fail messages.
To do this, I re-factored the CommitQueue and the AbstractReviewQueues
to behave more like one another. This meant moving where the failure reporting was done.
Previously the AbstractReviewQueue always used the parent process to report the error,
while CommitQueue used the subprocess when possible, and the parent only reported errors
that we didn't know how to handle (bugs in the commit-queue itself).
Now the AbstractReviewQueue follow's the commit-queue's model. This got rid of a try-block
in both implementations and required teaching handle_script_error in each to post Fail messages
to the status server instead of calling exit(1).

Don't exit(1) as that will cause the calling queue to also report Fail to the status server.
Implementors of handle_script_error are expected to update the status server if needed, but only exit if the error could not be handled.
So we instead pass patch_has_failed_this_queue=True to _update_status_for_script_error in the case that this was a real failure.
_update_status_for_script_error knows how to post the Fail message to the status server.

Teach _update_status_for_script_error how to post Fail messages to the status server.

Scripts/webkitpy/commands/queues.py:

Remove the try block from process_work_item since the caller already has one.

Only CC watchers on failure to cut down on commit-queue generated mail.

handle_unexpected_error needs to mark _did_fail now that the try block is gone from process_work_item.

Abstract _format_script_error_output_for_bug to share code between all queues.

The new _format_script_error_output_for_bug allows the style-queue to share the posting limit with other queues, as well as support linking to the full output.

Layout tests for ruby with malformed HTML.
Split up in individual tests, as well ass added a single combined test
(whose resulting render tree is probably completely different from what
you'd expect), since that combined test showed additional issues not
covered by the individual tests.

JavaScriptCore: When JavaScriptCore calls Debugger::Exception, have it pass a
hasHandler variable that represents if exception is being handled
in the same function (not in a parent on the call stack).

dom/Document.h:
(WebCore::Document::isHTMLDocument): Use a bit and an inline method
instead of a virtual method, since this is so hot and size of Document
is not a prime concern.
(WebCore::Document::create): Adapt for above.
(WebCore::Document::createXHTML): ditto

This exposes the child <option> elements in a format similar to
Firefox's: the <select> element has one child, a hidden list object,
and this list has as its children the <option> elements.

GNUmakefile.am:

WebCore.gypi:

WebCore.vcproj/WebCore.vcproj:

WebCore.xcodeproj/project.pbxproj:

Add new files to project.

accessibility/AXObjectCache.cpp:

(WebCore::AXObjectCache::getOrCreate):
If the element is a RenderMenuList, create an AccessibilityMenuList.
(WebCore::AXObjectCache::getOrCreate):
Add new types to create by role value.

accessibility/AccessibilityMenuList.cpp: Added.

(WebCore::AccessibilityMenuList::AccessibilityMenuList):
Call the base class constructor. Assert that the RenderObject passed
is a RenderMenuList.
(WebCore::AccessibilityMenuList::press):
Show or hide the popup menu.
(WebCore::AccessibilityMenuList::addChildren):
Create an AccessibilityMenuListPopup. If the platform ignores its
accessibility, remove it from the object cache and return early.
Otherwise, set its parent object to this object, add it to our list of
children, and tell it to add its children.
(WebCore::AccessibilityMenuList::childrenChanged):
Tell our child hidden list that its children changed.
(WebCore::AccessibilityMenuList::isCollapsed):
Return whether the popup menu is visible.

(WebCore::AccessibilityMenuListPopup::AccessibilityMenuListPopup):
Initialize the pointer to our parent list.
(WebCore::AccessibilityMenuListPopup::isVisible):
Return false; we're never considered visible.
(WebCore::AccessibilityMenuListPopup::isOffScreen):
Return true if the popup is collapsed.
(WebCore::AccessibilityMenuListPopup::parentObject):
Return our parent AccessibilityMenuList.
(WebCore::AccessibilityMenuListPopup::isEnabled):
Return true if our parent is enabled.
(WebCore::AccessibilityMenuListPopup::menuListOptionAccessibilityObject):
If the element is an <option> element, create a list item for it, and
set the object's element to this element.
(WebCore::AccessibilityMenuListPopup::press):
Call our parent's press() function to show or hide the popup menu.
(WebCore::AccessibilityMenuListPopup::addChildren):
Walk the select element's children, and create list items for them. Add
them to our list of children.
(WebCore::AccessibilityMenuListPopup::childrenChanged):
If any of our children have been detached from the document, remove
them from the AXObjectCache and from our child list.
(WebCore::AccessibilityMenuListPopup::setMenuList):

(AccessibleBase::get_accState):
If the object is invisible, set the invisible state flag. If the object
is collapsed, set the collapsed state. If the object is a combo box,
set the has popup flag, and if it's not collapsed, set the expanded
flag.
(MSAARole):
Add new WebCore to MSAA role mappings.

WebCoreLocalizedStrings.cpp:

(WebCore::AXMenuListActionVerb):
Return the action verb that Firefox uses for <select> elements with
popups.
(WebCore::AXMenuListPopupActionVerb):
Return the verb that Firefox uses for a popup list.

(AccessibilityUIElement::showMenu):
Call the object's accDoDefaultAction() to show its popup menu.
(AccessibilityUIElement::isEnabled):
Check that the object does not have the "unavailable" state.
(AccessibilityUIElement::isVisible):
Check that the object does not have the "invisible" state.
(AccessibilityUIElement::isOffScreen):
Check whether the object has the "offscreen" state.
(AccessibilityUIElement::isCollapsed):
Check whether the object has the "collapsed" state.
(AccessibilityUIElement::hasPopup):
Check whether the object has the "has popup" state.

platform/graphics/mac/GraphicsLayerCA.mm:
(WebCore::GraphicsLayerCA::~GraphicsLayerCA): We need to clear the layer owner on the content
layer, since we're setting it for WebGL layers now.

(WebCore::GraphicsLayerCA::didDisplay): Handle didDisplay() calls for the content layer,
as well as the main layer now, getting the correct layer to copy contents from, and using
the correct clone map.

(WebCore::GraphicsLayerCA::setContentsToGraphicsContext3D): Set the layer owner for WebGL
layers, because we need the didDisplay() callback.

Rework toArray to extract elements in to a vector rather than handing out raw pointers. This prevents
callers from forgetting to free the memory, and gives them the option of using stack buffers for
sufficiently small allocations.

If updateCompositingLayers() was called with an updateRoot that was a reflection layer,
then we would determine that the layer does not require compositing, and tear down its
backing (without clearing replicaLayer() on the source layer's GraphicsLayer).

Fix by changing requiresCompositingLayer() on a reflection layer to always give the
same answer for a reflection and its original.

Also add various belt-and-brances code and null checks to ensure that if we ever end up
with a non-composited reflection layer, we won't crash.

No new tests, because the crash depends on timing issues that are hard to reproduce in a test.

platform/graphics/GraphicsLayer.h:
(WebCore::GraphicsLayer::replicaLayer): Make this public so we can use it in an assertion.

(WebCore::RenderLayerCompositor::rebuildCompositingLayerTree): Null-check reflection->backing().
(WebCore::RenderLayerCompositor::updateLayerTreeGeometry): Null-check reflection->backing().
(WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry): reflection->backing().
(WebCore::RenderLayerCompositor::requiresCompositingLayer): If being called for a reflection layer,
use the source layer to answer the question.

No new tests. This just adds a couple of out parameters for the benefit of WebKit clients.

WebCore.base.exp:

Updated mangled signature for export.

page/Frame.cpp:

(WebCore::Frame::searchForLabelsAboveCell):
Now fills in an out parameter with the number of characters from the start of the cell.
(WebCore::Frame::searchForLabelsBeforeElement):
Now fills in an out parameter with the distance as a number of characters, and another
with a bool for whether the result was in a table cell above the current cell (otherwise
it was found in the text before this element and after the previous element or start of form).

page/Frame.h:

Updated signatures.

page/mac/FrameMac.mm:

(WebCore::Frame::searchForNSLabelsAboveCell):
Same as above. This is a parallel copy of the function using Mac-specific data structures.
(WebCore::Frame::searchForLabelsBeforeElement):
Ditto

(-[WebHTMLRepresentation searchForLabels:beforeElement:]):
Now calls through to searchForLabels:beforeElement:resultDistance:resultIsInCellAbove.
(-[WebHTMLRepresentation searchForLabels:beforeElement:resultDistance:resultIsInCellAbove:]):
New method, calls through to WebCore.

WebKit/win:

Reviewed by Darin Adler

Interfaces/IWebHTMLRepresentation.idl:

Created variant of searchForLabels that includes additional in/out parameters resultDistance and resultIsInCellAbove.

Interfaces/WebKit.idl:

Touched in order to get other idl change to propagate correctly.

WebHTMLRepresentation.cpp:

(WebHTMLRepresentation::deprecatedSearchForLabels):
Renamed since iDL doesn't support two functions with the same name but different signatures.
(WebHTMLRepresentation::searchForLabels):
Implemented variant of searchForLabels that includes additional in/out parameters resultDistance and resultIsInCellAbove.

WebHTMLRepresentation.h:

Declared variant of searchForLabels that includes additional in/out parameters resultDistance and resultIsInCellAbove.

OpenVG is not tied to EGL per se, EGL just happens to be
the only usable backend for OpenVG state and painting
at the time of writing.

The purpose of the SurfaceOpenVG class is to provide
an EGL-independent interface for OpenVG-specific code.
The EGLDisplayOpenVG class takes care of keeping track
of EGL displays, surfaces and contexts. It also makes
sure that all created contexts are interoperable, and
that different surfaces use a single context if possible.

Some listbox tests check selection behavior by click events with
"meta" or "shift" keys. Behaviors for such modifier keys are
platform-dependent. The new parameter of mouseDown() and mouseUp()
allows to specify not only concrete modifier keys such as
"shiftKey" "metaKey", but also functional names like
"addSelectionKey" "rangeSelectionKey".

animations/play-state.html:
Undo my previous change of decreasing the length of the test. I think that made it more flaky.
Also increase the tolerance.

transitions/cancel-transition.html:
Undo my previous change of moving the setTimeout. It was correct where it was.
Added a comment to make it more clear. The tolerances were increased since then though,
so this test should no longer be flaky after this.

Fixes an issue in the Apple Mac port where ScrollView::platformVisibleContentRect
returns the rectangle of the document within the content view of
the scroll view (i.e. the rectangle not including scrollbars) when
the parameter includeScrollbars == true

Currently, this behavior contradicts both the comment in ScrollView.h
for method visibleContentRect as well as the behavior in
ScrollView::visibleContentRect() for a platform-independent scroll view.

Instead, it should return the rectangle whose dimensions include
the scrollbars.

Also, removes some extra whitespace at the end of the lines.

No tests included because we cannot test this using either DRT
or a manual test.

platform/mac/ScrollViewMac.mm:
(WebCore::ScrollView::platformVisibleContentRect): If includeScrollbars == true
then return the rectangle whose dimensions are that of
the frame (i.e. -[NSScrollView frame]).

Refactors the TimelineRecordFactory and InspectorTimelineAgent to support reporting data
when closing a record. Also includes grabbing the start and end line number for parse HTML
records as a reference use case for the above refactor

Pass the WebKitWebView object (which is a GObject, thus
ref-counted) to the clipboard functions instead of passing the
Page - this allows us to explicitely protect the object inbetween
the clipboard call and its callbacks, which fixes the crash.

Implements an optimization to ignore fixed background images
(i.e. background-attachment: fixed) when a page does not contain
any fixed position elements so as to allow fast repaints (via bit
blit) when scrolling a page.

Currently, if a page has elements that specify either a fixed
background or a fixed position then we perform a slow repaint
(i.e disable blitting) so as to avoid rendering artifacts.
However, on low-powered/mobile devices slow repaints can cause
noticeable delays when scrolling a page with a fixed background
image. By sacrificing support for fixed background images when
there are no fixed elements on the page and with come care, we
don't need to force slow repaints and can avoid rendering artifacts.
Hence, on such devices we can improve the responsiveness of
scrolling a page with a fixed background image.

Note, this optimization is only enabled if the WebKit is built
with FAST_MOBILE_SCROLLING enabled.

Tests: fast/fast-mobile-scrolling/fixed-position-element.html

fast/fast-mobile-scrolling/no-fixed-position-elements.html

rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::calculateBackgroundImageGeometry):
Disable fixed background attachment if we can blit on scroll.

Inject inspector script directly into the inspected context. All the
communication between the script and the frontend is serialized into
JSON strings. It allows to get rid of object quarantines in Web Inspector.

Inject inspector script directly into the inspected context. All the
communication between the script and the frontend is serialized into
JSON strings. It allows to get rid of object quarantines in Web Inspector.

Place larger margins before clicking position to grab certain words
instead of clicking blank, whitespaces or tabs before that words.
Note that widths of rendered tab characters are hard to predict,
So such margins are particularly helpful with them.

This bug was caused by a GC-protected object being destroyed early by
Heap::destroy. Clients of the GC protect APIs (reasonably) expect pointers
to GC-protected memory to be valid.

The solution is to do two passes of tear-down in Heap::destroy. The first
pass tears down all unprotected objects. The second pass ASSERTs that all
previously protected objects are now unprotected, and then tears down
all perviously protected objects. These two passes simulate the two passes
that would have been required to free a protected object during normal GC.

API/JSContextRef.cpp: Removed some ASSERTs that have moved into Heap.

runtime/Collector.cpp:

(JSC::Heap::destroy): Moved ASSERTs to here.
(JSC::Heap::freeBlock): Tidied up the use of didShrink by moving its
setter to the function that does the shrinking.
(JSC::Heap::freeBlocks): Implemented above algorithm.
(JSC::Heap::shrinkBlocks): Tidied up the use of didShrink.

This bug was caused by a GC-protected object being destroyed early by
Heap::destroy. Clients of the GC protect APIs (reasonably) expect pointers
to GC-protected memory to be valid.

The solution is to do two passes of tear-down in Heap::destroy. The first
pass tears down all unprotected objects. The second pass ASSERTs that all
previously protected objects are now unprotected, and then tears down
all perviously protected objects. These two passes simulate the two passes
that would have been required to free a protected object during normal GC.

API/JSContextRef.cpp: Removed some ASSERTs that have moved into Heap.

runtime/Collector.cpp:
(JSC::Heap::destroy): Moved ASSERTs to here.
(JSC::Heap::freeBlock): Tidied up the use of didShrink by moving its
setter to the function that does the shrinking.
(JSC::Heap::freeBlocks): Implemented above algorithm.
(JSC::Heap::shrinkBlocks): Tidied up the use of didShrink.

Also modifies JavaField::name and JavaMethod::name to return const JavaString&, rather than UString::Rep*,
which is JSC-specific. This allows this code to be used with both JSC and V8, as required by Android.

(JSC::Bindings::JavaString::JavaString): Modified. Pass through to implementation.
(JSC::Bindings::JavaString::UTF8String): Modified. Pass through to implementation.
(JSC::Bindings::JavaString::uchars): Modified. Pass through to implementation.
(JSC::Bindings::JavaString::length): Modified. Pass through to implementation.
(JSC::Bindings::JavaString::operator UString): Modified. Pass through to implementation.
(JSC::Bindings::JavaField::name): Modified. Pass through to implementation.
(JSC::Bindings::JavaMethod::name): Modified. Pass through to implementation.

Rewrite <use> support in less intrusive way. Try hard to avoid recloning where possible, and do it lazily.
Introduce RenderSVGShadowTreeRootContainer as special renderer for SVGUseElement, that now manages the
render tree, instead of SVGUseElement manually hacking around it's own renderer from the DOM side.

Instead of recloning the whole shadow tree for every attribute change (DOM setAttribute / SVG DOM changes / CSS changes / childrenChanged()...)
just notify the RenderSVGShadowTreeRootContainer that it's supposed to reclone the tree upon the next updateFromElement() call.

updateFromElement() is fired from SVGUseElement::attach() / recalcStyle(), as it's done for HTMLFormControlElement/HTMLMediaElement, thus
lazily recloning the shadow tree if necessary.

Animations for <use> elements was a real performance bottlenck as the tree got recloned on every attribute change. Reclones are _completly_
avoided for animations now - the SVGAnim*Element classes already updated the instances of an element manually, though that resulted in a reclone
nontheless, and thus killing performance. <use> elements can only be recloned through mutations of the elements that they reference to.
For example referencing a <rect> element from a <use> element and scripting the <rect> element (setAttribute, or child tree mutations etc.).
We reclone instead of trying to synchronize trees - as it's currenty implemented - because it's very hard to do it right.

Any DOM / SVG DOM / CSS change on the <use> element don't reclone the tree anymore, this is a huge speed benefit.
x/y attribute changes are correctly handled in the render tree now (by an additional local transformation), now percentual values work
as expected, and resize on window changes - affecting lots of testcases.

The <use> implementation is much safer now, not doing any mutations synchronously from svgAttributeChanged etc.
Remove hack to force garbage collection on SVGElementInstance destruction - can't reproduce it anymore.

Android.mk: Add new files to build.

GNUmakefile.am: Ditto.

WebCore.gypi: Ditto.

WebCore.pro: Ditto.

WebCore.vcproj/WebCore.vcproj: Ditto.

WebCore.xcodeproj/project.pbxproj: Ditto.

rendering/RenderSVGShadowTreeRootContainer.cpp: Added. This is the rendered now created by SVGUseElement.
(WebCore::RenderSVGShadowTreeRootContainer::RenderSVGShadowTreeRootContainer):
(WebCore::RenderSVGShadowTreeRootContainer::~RenderSVGShadowTreeRootContainer):
(WebCore::RenderSVGShadowTreeRootContainer::updateStyle): Used form SVGUseElement to request style recalculations for the shadow tree renderers
(WebCore::RenderSVGShadowTreeRootContainer::updateFromElement): Used from SVGUseElement attach/recalcStyle to eventually request shadow tree updates.
(WebCore::RenderSVGShadowTreeRootContainer::styleDidChange): Used to propage style updates across shadow tree boundaries.

rendering/RenderSVGShadowTreeRootContainer.h: Added.
(WebCore::RenderSVGShadowTreeRootContainer::markShadowTreeForRecreation): Marks the shadow tree for a reclone, next time updateFromElement is used.

rendering/RenderSVGTransformableContainer.cpp:
(WebCore::RenderSVGTransformableContainer::calculateLocalTransform): Take containerTranslation() into account, supplied by RenderSVGSDhadowTreeContainer.

rendering/SVGShadowTreeElements.cpp: Added. This is the root element of the SVG shadow tree residing as (hidden) child of SVGUseElement (DOM wise).
(WebCore::SVGShadowTreeContainerElement::SVGShadowTreeContainerElement):
(WebCore::SVGShadowTreeContainerElement::~SVGShadowTreeContainerElement):
(WebCore::SVGShadowTreeContainerElement::containerTranslation): Used from calculateLocalTransform() to take x/y translation into account for shadow tree container elements.
(WebCore::SVGShadowTreeRootElement::SVGShadowTreeRootElement):
(WebCore::SVGShadowTreeRootElement::~SVGShadowTreeRootElement):
(WebCore::SVGShadowTreeRootElement::attachElement): Used by RenderSVGShadowTreeRootContainer, instead of attach(), as we're a shadow tree root node.

rendering/SVGShadowTreeElements.h: Added. This is the root element of each SVG shadow sub-tree (whenever a <use> element is expanded in the shadow tree).
(WebCore::SVGShadowTreeContainerElement::isShadowTreeContainerElement): Return true here.
(WebCore::SVGShadowTreeContainerElement::setContainerOffset): Used from SVGUseElement to propagate x/y translation values set on <use> elements in the shadow tree.
(WebCore::SVGShadowTreeRootElement::isShadowNode): Identify us as shadow node.
(WebCore::SVGShadowTreeRootElement::shadowParentNode): Ditto. Return actual shadow parent node (== corresponding use element).

svg/SVGElement.cpp: Shrink size of all SVG*Elements, by removing the m_shadowParent parent. SVGShadowTreeRootElement is the new base class for shadow tree.
(WebCore::SVGElement::SVGElement):
(WebCore::SVGElement::eventParentNode): Call virtual shadowParentNode() method, instead of accessing m_shadowParent.

When we create the document fragment from a markup string,
either to perform a paste operation or a drag and drop, we
want to remove all the event handlers and any attribute that contain
a value that leads to code execution.
The HTMLParser class is now aware of the needs of stripping these attributes.
I've modified the call to createMarkupString for every platform.

When we create the document fragment from a markup string,
either to perform a paste operation or a drag and drop, we
want to remove all the event handlers and any attribute that contain
a value that leads to code execution.
The HTMLParser class is now aware of the needs of stripping these attributes.
I've modified the call to createMarkupString for every platform.

(WebCore::RenderBlock::layoutInlineChildren): Copy bottom overflow from the last
root box to the trailing floats box, which is becoming the last root box. This is
needed because painting code assumes that the last line in a block is the one with the
lowest overflow bottom.

websocket/tests/multiple-connections.html: Decrease the number of simultaneous connections
from 100 to 50. On Windows buildbot, only ~70 connections are allowed for some reason - but
we only need much fewer to compare to HTTP simultaneous connection limit anyway.

(WebCore::Document::setDomain): If domain relaxation is forbidden for
our security origin's scheme, throw an exception and don't allow
the domain to be set.

page/SecurityOrigin.cpp:

(WebCore::schemesForbiddenFromDomainRelaxation): Added. Returns a
global set of schemes.
(WebCore::SecurityOrigin::setDomainRelaxationForbiddenForURLScheme):
Add or remove the scheme to schemesForbiddenFromDomainRelaxation, as
appropriate.
(WebCore::SecurityOrigin::isDomainRelaxationForbiddenForURLScheme):
Returns true if the scheme is in schemesForbiddenFromDomainRelaxation.

page/SecurityOrigin.h: Added

{set,is}DomainRelaxationForbiddenForURLScheme.

WebKit/mac:

Add +[WebView _setDomainRelaxationForbidden:forURLScheme:]

WebView/WebView.mm:

(+[WebView _setDomainRelaxationForbidden:forURLScheme:]):

WebView/WebViewPrivate.h:

Added. Calls through to SecurityOrigin.

WebKit/win:

Add IWebViewPrivate::setDomainRelaxationForbiddenForURLScheme

Interfaces/IWebViewPrivate.idl: Added

setDomainRelaxationForbiddenForURLScheme.

Interfaces/WebKit.idl: Touched to force a build.

WebView.cpp:

(WebView::setDomainRelaxationForbiddenForURLScheme):

WebView.h:

Added. Calls through to SecurityOrigin.

WebKitTools:

Add LayoutTestController support for calling new WebKit SPI to
disallow setting document.domain

When the last line of a block contains a line break and there are floats
after the line break, it is incorrect to put those floats in the last line's
floats vector (along with floats from before the break). Instead, create
an additional line box (a TrailingFloatsRootInlineBox) and put those floats
in its floats vector.

WebCore.vcproj/WebCore.vcproj: Added TrailingFloatsRootInlineBox.h

WebCore.xcodeproj/project.pbxproj: Ditto.

rendering/RenderBlock.cpp:

(WebCore::RenderBlock::markLinesDirtyInVerticalRange): Added an optional
parameter, which is the highest line to dirty.

rendering/RenderBlock.h:

rendering/RenderBlockLineLayout.cpp:

(WebCore::RenderBlock::layoutInlineChildren): Create a TrailingFloatsRootInlineBox
for the floats occurring after the line break on the last line.
(WebCore::RenderBlock::determineStartPosition): Prevent dirtying of lines
above the first dirty line.

This change reverts things to their pre-r49485 state. That revision
(and, subsequently, r49664 and r51788) started passing /useenv to
Visual C++, even in cases where we don't want to do so (such as when
invoking Visual C++ Express), in the name of making the Chromium build
work. Now that Chromium isn't using buildVisualStudioProject or
pdevenv, we can put things back they way they were.

(buildVisualStudioProject): Never pass /useenv anymore. pdevenv takes
care of this itself, and we don't want to pass /useenv when not using
pdevenv (e.g., when using VC++ Express, because that will cause it to
ignore the Platform SDK).

When posting a commit-queue+ patch with land-safely, we should
obsolete the old patches on the bug. They're really confusing
because the main use case is to address reviewer feedback on a
previous patch.

Following up on changes made with respect to bug #33498, we should
fix the the style errors found by the style bot.

Moreover, this fixes all the style errors found by check-webkit-style
except the use of an underline in the variable name _niflags. We should
fix this in a second run through for all the other variables names that
contain an underline because there are many.

If we don't link with def files, then we have to pass EXPORTUNFROZEN,
so that the build system still creates the .dso files in
release/armv5/lib and we can actually link against the created QtWebKit
dlls.

When computing the bounds for elements in a mask, we iterate through
all of our children requesting their repaint bounds using
repaintRectInLocalCoordinates(), but we were not converting that
rect into our own coordinate system, thus leading to an incorrect
repaint rect. This patch simply adds the missing localToParent
transform.